There are many, many comparisons out there on the Internet of Docker versus
Vagrant. Usability, scalability, portability, you-name-it-ability.

This blog post is about a different aspect: the security properties of the current
implementations of Docker versus Vagrant. It's a high, high-level comparison of
the security impact on the host system.

Can you compare the two? Not really, they're used for completely
different reasons. Docker is wildly popular for medium to large scale production
webserver deployments and microservices, where each service has its own process,
or container. Vagrant is used more during design and development, by
individual developers or by teams at companies.

So, having said that, let's compare the security differences at a
high level:

Docker

Partial isolation from the host

Shares the kernel with the host.

Resources aren't guaranteed, they're shared.

Uses runC/libcontainer as runtime (before version 1.8 it used Linux
containers (LXC) under the hood, then libcontainer, and since the
inception of the Open Container Initiative it uses runC, which
abstracts even further away from libcontainer). System resources can
be allocated using control groups (cgroups): block devices
(blkio), CPU (cpu), CPU accounting (cpuacct), individual CPU and
memory nodes (cpuset), devices, task management (freezer), memory
usage (memory), network packets (net_cls), network priority
(net_prio), namespaces (ns) and performance analysis (perf_event).

Implements network isolation, each Docker container has its own
network stack (zero or more network interfaces).

Uses namespaces to isolate processes and therefore containers.

Secures the host, and each of the containers running on the host,
using AppArmor.

Vulnerabilities in the container will not affect the host.

Vulnerabilities in Docker directly affect the host.

Vagrant

Full isolation from the host

Runs its own kernel on top of the virtual machine environment.

Resources are guaranteed in advance.

Vulnerabilities in the guest operating system will not affect the
host.

Vulnerabilities in the virtual machine environment could affect the
host.

Docker seems to give systems administrators a much more fine-grained
control set to tune the security. And that's exactly what I personally
think still, in 2017, is currently the weak spot: there are simply too
many places that a DevOps engineer or systems administrator needs to
think of to properly secure the host from the container(s).

When something is easy to do, and is enabled by default, people will use
it. At the moment, configuring and hardening Docker is much easier than
it was, but still not easy. This is the same reason why (unfortunately)
SELinux isn't widely deployed: it's too complex, and complexity is the
enemy of security.
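To make the "too many places" point concrete, here is an added example (not code from the original post): a small POSIX shell audit that checks a `docker run` command line for the namespace, cgroup-limit and AppArmor settings discussed above, beside a hardened invocation that passes it. All flags are real docker CLI flags; the image name `example/app:1.0` is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a `docker run` command
# line (passed as one string) for settings that weaken the isolation the post
# describes (namespaces, cgroup limits, AppArmor) and prints a hardened form.
# All flags are real docker CLI flags; "example/app:1.0" is a constructed image name.

# Print one finding per line; exit 0 when nothing was found, 1 otherwise.
audit_docker_run() {
    cmd=" $1 "
    findings=0
    # Flags that join a host namespace or disable isolation entirely.
    for flag in --privileged --pid=host --net=host --network=host --ipc=host --userns=host; do
        case "$cmd" in
            *" $flag "*)
                echo "WEAK: $flag shares a host namespace or disables isolation"
                findings=$((findings + 1)) ;;
        esac
    done
    # CAP_SYS_ADMIN alone is enough to reconfigure mounts and cgroups.
    case "$cmd" in
        *" --cap-add=SYS_ADMIN "*|*" --cap-add SYS_ADMIN "*)
            echo "WEAK: --cap-add SYS_ADMIN grants near-root control of the kernel"
            findings=$((findings + 1)) ;;
    esac
    # Resources are shared unless a cgroup limit is set explicitly.
    for limit in --memory --cpus --pids-limit; do
        case "$cmd" in
            *" $limit "*|*" $limit="*) ;;
            *)
                echo "MISSING: $limit (no cgroup limit; container can exhaust the host)"
                findings=$((findings + 1)) ;;
        esac
    done
    # The default AppArmor profile is what confines the container on the host.
    case "$cmd" in
        *"apparmor=unconfined"*)
            echo "WEAK: apparmor=unconfined removes the container's AppArmor profile"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# A hardened invocation: all capabilities dropped, default AppArmor profile kept,
# cgroup limits on memory/CPU/PIDs, read-only root and a private, empty network.
hardened_run_cmd() {
    printf '%s' "docker run --rm --cap-drop=ALL --security-opt=no-new-privileges" \
        " --security-opt=apparmor=docker-default --memory=512m --cpus=1.0" \
        " --pids-limit=200 --read-only --network=none example/app:1.0"
}

audit_docker_run "docker run --privileged --net=host -it example/app:1.0" || true
audit_docker_run "$(hardened_run_cmd)" && echo "hardened command: no findings"
```

The weak command line yields five findings (two host namespaces, three missing cgroup limits); the hardened one yields none, which is exactly the kind of checklist the post argues should not have to live in an administrator's head.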